We are in the process of upgrading our last 12.0 system to the latest 12.7 release, including an upgrade to FIPS-only encryption. The user directory is Oracle LDAP 11.1.1.7.0. We have a roadblock where the new 12.7 seems to not be recognizing the old passworddata blob (the field used to store the last 10 passwords). But it is able to re-initialize it with the stronger encryption protocol: [OLD] password data: 0xJ3IXvGQFz6 [NEW] passworddata: {AES}agGn0JPdkF…. What is the best way and/or the quickest to get all the password data blob fields re-encrypted before getting the 12.7 live in Production?

Cause:

Policy server encryption key was accidentally changed during upgrade, preventing policy server from reading the passworddata field (blob). The FIPS upgrade complicates things a bit. Normally the password blob would be converted to FIPS the next time each user logs in, but the incorrect encryption key resulted in improperly converted values that need to be corrected.

Password blobs that have been converted to FIPS will have [AES] in front of their values.

Resolution:

Reset the encryption key. Delete and re-import the policy store data. The password blob data will be converted to FIPS as each user logs in.